Security & Compliance for Law Firms

How Boltcall handles intake calls at a firm that has to get this right

This page summarizes our security and compliance posture for law firms evaluating Boltcall for call intake. It is not a substitute for our Terms of Service or Data Processing Agreement, which govern the relationship.

Intake only — never advice

Boltcall's law firm agent is built with hard rules it cannot be talked out of:

  • Never gives legal advice, in any form — not "in general," not "typically"
  • Never assesses whether a caller has a case, or predicts an outcome
  • Never quotes fees beyond your general structure (e.g. contingency, free consultation)
  • Never tells a caller they may have missed a filing deadline — it collects the date and lets your attorney assess it
  • Never states or implies an attorney-client relationship has been formed
  • Escalates immediately on custody emergencies, domestic violence, or an imminent court date

The agent's job is narrow on purpose: answer the call, collect the facts, book the consultation, and get out of the way. See the full rule set in our Terms of Service, Section 6 (AI Accuracy, Regulated Professions & No Professional Advice).

Confidentiality

Callers are told upfront the call may be recorded and that they're speaking with an AI assistant, not an attorney — both required by law and built into every agent's opening line. The agent is instructed to keep confidentiality front of mind: no case details are shared outside the call record, and sensitive categories (SSN, financial account numbers, medical or criminal history) are flagged as data the agent should not collect during intake.

Whether a specific intake call is protected by attorney-client privilege is a legal question that depends on your jurisdiction and how you use Boltcall — that determination is yours to make, not ours to promise.

Data handling

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • We do not use your callers' conversations to train shared AI models without your consent
  • Access to production systems is restricted by role and requires multi-factor authentication
  • Sub-processors (call/voice infrastructure, hosting, email) are listed in full in our Data Processing Agreement, along with where each one is located
  • You can request a data export or deletion at any time; on termination, data is retained for 30 days for export, then deleted per our Privacy Policy retention schedule

Compliance posture

Boltcall processes data as a processor under Israeli PPL Amendment 13 and EU GDPR where applicable — full detail, including international transfer disclosures, is in the DPA. Enterprise customers can request a countersigned DPA.

What we don't claim: bar association advertising rules, UPL (unauthorized practice of law) requirements, and client-communication rules vary by state and practice area. Boltcall is a tool your firm configures and operates — you remain responsible for using it in a way that complies with the rules governing your practice.

If something goes wrong

If your agent has repeated technical failures (calls dropping, not connecting), our monitoring detects it and emails your firm automatically within the hour — you're not finding out from a missed intake call. Every call is logged with a recording, transcript, and timestamp, so if something needs review, the record exists.

AI is not error-free. It may mishear a name or a callback number — you should treat intake data as a starting point to verify, not a system of record for deadlines. Our liability terms are in Section 11 of the Terms of Service.

Common questions

Does the AI ever give legal advice?

No. It's configured to refuse — see Section 1 above. If a caller pushes, the agent's standard response is to offer a consultation with your attorney, not an opinion.

Do you train your AI models on our calls?

No, not without your explicit consent.

Can we get a signed DPA for our records?

Yes — email privacy@boltcall.org.

Who is liable if the AI makes a mistake on an intake call?

Our Terms of Service set out liability terms, including a cap and an indemnification clause. We'd rather you read the actual terms than a marketing summary of them — see Terms of Service.